
Alcatel-Lucent AOS-W 6.5.3.x - Page 351

1160 pages
351 | Virtual Private Networks    AOS-W 6.5.3.x | User Guide

| Parameter | Description | default | default-rap | default-cap |
|---|---|---|---|---|
| Export VPN IP address as a route | When enabled, this causes any VPN client address to be exported to OSPF using IPC. NOTE: The Framed-IP-Address attribute is assigned the IP address as long as any server returns the attribute. The Framed-IP-Address value always has a higher priority than the local address pool. | enabled | enabled | enabled |
| User idle timeout | The user idle timeout value for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used. | disabled | N/A | N/A |
| PAN firewalls Integration | Requires IP mapping at Palo Alto Networks firewalls. | disabled | disabled | disabled |

To edit the default VPN authentication profile:
1. Navigate to the Configuration > Advanced Services > All Profiles > Wireless LAN > VPN
Authentication page.
2. In the Profiles list of the left window pane, select the default VPN Authentication Profile.
3. Click the Default Role drop-down list and select the default user role for authenticated VPN users. (For
detailed information on creating and managing user roles and policies, see Roles and Policies on page 375.)
4. (Optional) If you use client certificates for user authentication, select the Check certificate common
name against AAA server checkbox to verify that the certificate's common name exists in the server.
This parameter is enabled by default in the default-cap and default-rap VPN profiles, and disabled by
default on all other VPN profiles.
5. (Optional) Set Max Authentication failures to an integer value. The default value is 0, which disables this
feature.
6. (Optional) Regardless of how an authentication server is contacted, the Export VPN IP address as a
route option causes any VPN client address to be exported to OSPF using IPC. Note that the Framed-IP-
Address attribute is assigned the IP address as long as any server returns the attribute. The Framed-IP-
Address value always has a higher priority than the local address pool.
7. (Optional) Enabling PAN Firewall Integration requires IP mapping at Palo Alto Networks firewalls. (For
more information about PAN firewall integration, see Palo Alto Networks Firewall Integration on page 689.)
8. Click Apply.
9. In the Default profile menu in the left window pane, select Server Group.
10. From the Server Group drop-down list, select the server group to be used for VPN authentication.
11. Click Apply.
